(57) The present invention relates to the generation
of a composite cryptographic key. In one example, we
show how to specify an elliptic curve public key, an RSA
public key and a DSA public key all in a single 2048 bit
block. The method gives a wide choice of finite fields
and curves for use in the ECC system and introduces
no known security weaknesses. The method hence allows
algorithm type to be decided at run time, rather than
at the time the public keys are distributed. However, this
is done without the need for very large key lengths.
Description

Technical Field 

[0001] The present invention relates to cryptographic keys and particularly although not exclusively, to methods for 
generating cryptographic keys. 

Background Art 



[0002] Suppose Alice wishes to publish her public cryptographic key in some directory so that someone else, say
Bob, can verify Alice's digital signatures, or send Alice secret messages. At present, Alice first has to decide on which
of the three standard public cryptographic key algorithms to use: RSA, DSA or ECC. Given this, Alice then passes to
a cryptographic key directory, or Certification Authority (CA), the bit pattern which represents her public cryptographic
key for that given algorithm. If Alice wished to keep the choice of algorithm open, until the cryptographic key was
actually used, then she would need to give the bit patterns of all three independent public cryptographic keys.
[0003] Such a situation could arise where we do not know how the public cryptographic key is to be used. For example,
if Bob is going to verify signatures from Alice, or send messages to Alice, using a small constrained device, then RSA
is probably to be preferred as the public cryptographic key operations are relatively much faster with RSA. If, however,
Alice's operations, whether signing or decryption, are to be performed on a small constrained device, then ECC is
probably to be the preferred option. There may also be some situations where DSA is the preferred option.
[0004] In any case, if Alice wishes to make available all three public cryptographic keys in the directory, then, with
current recommendations for cryptographic key sizes, she will require 1024 bits to specify her RSA cryptographic key,
another 1024 bits to specify her DSA cryptographic key (assuming a pre-agreed finite field is used) and another 170
bits to specify an ECC public cryptographic key (assuming a pre-agreed curve is used). Hence, a total of 2218 bits are
required.

[0005] If the system requires that users should use different finite fields for DSA or different curves for ECC, then
the number of bits required increases to at least 3500. In fact, Alice may prefer to use elliptic curves over odd
characteristic fields, since she may be using a PC-based environment to perform her operations in. On the other hand, another
user may prefer elliptic curves over even characteristic fields, since they may be using a dedicated hardware device.
It is also known that using the same finite field for DSA over a large number of users creates an attractive weakness,
which could be exploited by an admittedly rich adversary, who has access to an extremely powerful computing platform.
If all three cryptographic keys were stored in their standardised ASN.1 notation, then the amount of storage required
would be even larger.

[0006] Another problem with using separate cryptographic keys occurs in the (admittedly) unlikely event that one of
the three main public cryptographic key algorithms falls to an, as yet, unknown attack. If this "doomsday" scenario
occurred, then all public cryptographic keys, and the associated public cryptographic key infrastructure, would need
to be revoked and re-deployed for all cryptographic keys which used the given public cryptographic key algorithm. If
all three public cryptographic keys were published, then the public cryptographic key infrastructure would not need to
be revoked and re-deployed and users would just switch from using the insecure algorithm to one of the secure ones.
Admittedly legacy signatures could then be forged (we shall not address this problem herein, but note it can be solved
using a trusted time stamping authority).

[0007] For convenience, therefore, for the above-mentioned reasons, it would be desirable to publish multiple
cryptographic keys. However, the downside of this is the storage overhead for CAs, which would increase substantially.

Disclosure of the Invention 

[0008] The present invention aims to overcome the increase in storage requirement required for publishing multiple
cryptographic keys.

[0009] In accordance with a first aspect, the present invention provides a method of generating a composite
cryptographic key comprising plural cryptographic key portions in such a way that the cryptographic key portions can be
recovered from the composite cryptographic key wherein the bit length of the composite cryptographic key is less than
the sum of the bit lengths of the plural cryptographic key portions.

[0010] In accordance with a second aspect, the present invention provides a method of generating a composite 
cryptographic key composed of a primary cryptographic key and one or more secondary cryptographic key portions, 
by specifying the or each secondary cryptographic key portion and generating a primary cryptographic key such that 
embedded therein there is a predetermined portion comprising the or each secondary cryptographic key portion. 
[0011] Advantageously the composite cryptographic key is typically shorter in length than the sum of the lengths of
the individual cryptographic keys comprised in the composite cryptographic key. It is therefore possible to publish
multiple cryptographic keys, using the composite cryptographic key, without incurring too great a storage overhead
increase. For example, in the three-cryptographic key scenario above, the storage requirement for all three
cryptographic keys, were they all to be published, would normally be 2218 bits. As described in the detailed description below,
the same three cryptographic keys can be combined into a composite cryptographic key comprising only 2048 bits,
which represents nearly a 10% storage saving.

[0012] The present invention takes advantage of a well-known principle, having a number of different
implementations, which allows for the generation of a cryptographic key containing a certain pre-determined portion. Hitherto, uses
of such a technique have been stated as to allow all members of a group of users to share some fixed number of bits
of their RSA moduli, or to allow users to include a binary representation of their personal data in their RSA modulus [1].

[0013] In accordance with a third aspect, the present invention provides a method of digitally signing data, comprising
the steps of:

using at least one private cryptographic key to sign the data;

providing a composite cryptographic key as defined above, the composite cryptographic key comprising plural
different public cryptographic key portions that correspond to the private cryptographic key or keys; and

making the composite cryptographic key available for use by third parties.

[0014] By signing the data with more than one cryptographic key in parallel, for example, Alice can ensure that the
signatures remain valid until the last of the algorithms is made insecure. For electronic legal documents, for instance,
that are needed to remain in force over many years (or even decades), this provides added security.

[0015] In accordance with a fourth aspect, the present invention provides a method of encrypting data, comprising
extracting plural different public cryptographic key portions from a composite cryptographic key, the composite
cryptographic key having been generated as defined above, encrypting the data and then re-encrypting the data using at
least two different ones of the cryptographic key portions.

[0016] Thus, for example, encryption can be double or triple-locked using multiple public encryption cryptographic
keys extracted from the composite cryptographic key.

[0017] In accordance with a further aspect, the present invention provides a method of publishing plural public
cryptographic key portions by generating a composite cryptographic key as defined above and then publishing the
composite cryptographic key.

[0018] A further advantage of implementing a composite cryptographic key according to the present invention is that,
say, ECC can be used to perform Alice's signature operations and RSA can be used to perform her decryption
operations, since it is not considered good practice to use the same cryptographic key for both signing and decryption. By
using the composite cryptographic key, one uses the same public cryptographic key but in two different contexts.

Brief Description of the Drawings

[0019] Embodiments of the present invention will now be described by way of example only with reference to the
accompanying drawings:

Figure 1 is a table of integers n and c which produce a prime number q = 2^n + c;

Figure 2a is a diagram which illustrates a process for digitally signing data using multiple cryptographic keys;

Figure 2b is a diagram which illustrates a process of verifying that data has been digitally signed according to
Figure 2a;

Figure 3a is a diagram which illustrates a process of encrypting data using multiple cryptographic keys extracted
from a composite cryptographic key;

Figure 3b is a diagram which illustrates a process of decrypting data that has been encrypted according to Figure
3a; and

Figure 4 is a flow diagram, which illustrates one way of embedding a pre-defined portion into an RSA cryptographic
key.

Best Mode For Carrying Out the Invention, & Industrial Applicability

[0020] The following text describes how to embed an RSA cryptographic key, a DSA cryptographic key and an ECC
cryptographic key into one 2048 bit string. Such a string has a wide choice of finite fields to use for ECC, no restriction
on which curve to use over this finite field and a virtually unique finite field in which to implement DSA.

[0021] The algorithms described herein are described in sufficient detail to enable the skilled person to implement 
them in software, using standard cryptographic library routines, or in hardware. Further, only the algorithms for forming 
a composite cryptographic key are described herein. The algorithms for extracting cryptographic keys from a composite 






EP 1 026 851 A1 

[...] cryptographic key, and, [...]

[0022] [...] public cryptographic key will be specified, then the DSA public cryptographic key
and [...] cryptographic key. Herein, n denotes the number of bits of security in the [...]
[...] cryptographic key. The DSA cryptographic
key is a field of order around 2^m with a multiplicative subgroup of order around 2^n.

[0023] [...] technique works in two main stages. First, the elliptic curve parameters and cryptographic keys
[...] possible. Secondly, the bit pattern of the
[...] cryptographic key using a technique of Lenstra [1], examples
of which will be described at the end of this description.

[0024] In summary, the technique allows a relatively short bit string to be interpreted as a variety of public
cryptographic keys for different algorithms. This allows additional functionality of the [...]:

[...] cryptographic key algorithm to use dynamically rather than having this
dictated by the entity deploying the public cryptographic key infrastructure;

by allowing the algorithm choice to depend on the environment rather than on the identity of the user;

by providing the ability to cope with the scenario of a public cryptographic key system being declared weak; and

by providing a mechanism to triple-lock an encryption or triple-sign a message with only relatively small
cryptographic key size, thus giving added security over a longer period of time.

[0025] In addition, independent benefits arise from the proposed method of creating ECC cryptographic keys
[...] ASN.1 definition of [...] curve
[...] cryptographic keys in X9.62 [4] means that cryptographic keys can take up a lot of bandwidth. This
can be a problem, given that ECC will typically be used in small, constrained devices, where bandwidth is a problem.
[...] disadvantages of pre-agreement and/or increased bandwidth.
[0026] The remainder of this description will use the following notation. If x and y are bit strings let x||y denote the

(with least significant bit last) and, for a number or finite field element y, let [y] denote the bit string which represents y.
The Elliptic Curve Public Cryptographic key 

[0027] By way of background, elliptic curves are described in detail in the book [2] and in [4]. 
The Finite Field 

[0028] [...] or odd characteristic. It is necessary
[...] elliptic curve [...]

[...] characteristic field can then be done in the 8 bits needed to represent n, assuming an
[...] Alternatively, if the fields are restricted to [...]

trinomial basis, then, we can represent the field using 



so another 8 bits are required to represent c. In practice, it is common to take n to be odd in this situation which is the 
[...] at most 15 bits, since it is assumed n is always odd [...]
[...] characteristic fields, fields of prime order equal to the
[0031] If c is small, this gives a very efficient way of performing the field operations with no known loss of security.
For convenience and efficiency, the present example will be restricted to fields of the above form with 150 < n < 255
and 1 < c < 255. There are 174 such primes with 150 < n < 255 and 1 < c < 255, which are listed in the table in Figure
1. Hence, there is a greater choice of odd characteristic fields than even characteristic fields. In addition, 15 bits are
required to represent q, 8 bits for n and 7 bits for c, since clearly c must be odd.

[0032] Since both odd and even fields can be represented using 15 bits the choice of field can be represented in 16 
bits by using a single additional bit to specify whether the field is an odd or even case. Herein, the resulting bit string 
shall be represented as f. 

The Elliptic Curve

[0033] Having chosen a field, an elliptic curve is then found over F_q using Schoof's algorithm [3]. It should be noted
that a special elliptic curve is not being specified herein and so security is not being compromised. The elliptic curve
is given by an equation of the form

Y^2 = X^3 + aX + b                  q odd,

Y^2 + XY = X^3 + a_2 X^2 + a_6      q even

[0034] Since, in the even characteristic case, n is chosen to be odd, a_2 ∈ {0, 1} can be chosen.
[0035] In the odd characteristic case it can be assumed that a will fit in an eight bit word. To see why this is so, it can
be seen that Y^2 = X^3 + aX + b is isomorphic to Y^2 = X^3 + a u^4 X + b u^6 for some u ∈ F_q. Now, if q = 1 (mod 4), then there
is a 25 percent chance of replacing a by any number a', by simply trying to extract the fourth root of a'/a. If q = 3 (mod
4), then there is an even better chance, namely 50 percent, of this working for any given a'. If a is specified by only 8
bits, then there is, at most a

0.75^256 = 10^-32

chance that the curve found by Schoof's algorithm cannot be put in a form with a ∈ {1, ..., 256}. In this unlikely situation,
it is clearly possible to attempt to find another curve.

[0036] Since b and a_6 both require n bits to specify them, the elliptic curve E can be represented using only n+8 bits.
The resulting string is represented as e.

The Group Order 

[0037] It is assumed that the curve order is divisible by a large prime l and

#E(F_q) = l      q odd
#E(F_q) = 2l     q even and a_2 = 1
#E(F_q) = 4l     q even and a_2 = 0

[0038] This is common practice and such elliptic curves are quite easy to find using Schoof's algorithm for the values
of q in use today. By Hasse's theorem we have that t = q + 1 - #E(F_q) is bounded by |t| ≤ 2√q. Hence, to specify the
group order, and hence l, requires 2+n/2 bits. The resulting bit string we denote by o.

The Generating Point 

[0039] Now will be specified a point which generates a subgroup of order l. A random bit string x of length 7 is selected
and the field element {x} represented by x is considered. With probability 1/2, a field element y ∈ F_q such that ({x}, y)
∈ E(F_q) can be determined. If

P = [N_q/l]({x}, y)

is computed, then, with probability around 2^(2-n), P = O and this value of x is rejected and the process is started again.

[0040] [...] elliptic curve point ({x}, y) into a bit string, of length 8 bits. With overwhelming
probability, such a method is practically guaranteed to find a suitable generating point.

The Public Cryptographic key

[0041] [...] cryptographic key needs to be constructed. A random number, k, is produced, the private
cryptographic key, with 1 < k < l and the public cryptographic key is computed

Q = [k]P

[...] described in [4], Q can be represented by a bit string q of length

[0042] Hence, to represent all the parameters of the elliptic curve public cryptographic key, the bit string

X = f||e||o||p||q

of length t = 16 + (n + 8) + (2 + n/2) + 8 + (n+1) = 35 + 5n/2 bits is required.
[0043] [...] there are many other ways of compressing an elliptic curve cryptographic
[...]

The DSA Public Cryptographic key 

[0044] Using the prime l from above, which is of order 2^n, it is possible to form the number

T = l {X} 2^(m-n-t) + 1

[0045] Since {X} is a number of bit length t, the bit length of T is

log2(T) = log2(l) + (m - n - t) + log2({X}) = n + m - n = m

[0046] [...] T until a prime number, P = T + W is obtained. By the prime number theorem
[...] on average, [...] assumed that the bit length of [...]
derived from the bit string X, and the prime l will divide P-1. It can be assumed that l^2 does not divide P-1, which is
such a rare event that for practical purposes can be ignored.
[0047] Next can be chosen a random number g of bit length less than 8, and

h = g^((P-1)/l) (mod P)

[...] With probability 2^-n, one is obtained, in which case another random g of bit length less than 8 is
[0048] The DSA public cryptographic key is then the number

z = h^k (mod P)
[0049] It should be noted that the same private cryptographic key is used for both the ECC and DSA schemes. This
is not necessary and is done for convenience of description herein. However, use of the same private cryptographic
key means the holder of the private cryptographic key is less likely to forget which private cryptographic key corresponds
to ECC and which to DSA.

[0050] Finally, Z is used to denote the bit string [z] of length approximately m bits, and Y is set as follows

Y = X || [X] || [g]

[0051] So, Y is a bit string of length K = 43 + 5n/2 + log2 m bits.
The RSA Public Cryptographic key 

[0052] As described below, and in more detail in [1], an m bit RSA modulus, N, can be constructed, which contains
the bit string Y as either the leading or trailing portion of [N]. This is possible assuming

m > 86 + 5n + 2 log2 m.

[0053] A common choice of 65537 is made for the public exponent. Finally, all three public cryptographic keys are
represented by the bit string

[N] || Z

of length 2m. In practice, typical values of n = 160 and m = 1024 are used, which satisfy the above inequality with ease.
Security 

[0054] Clearly, if the above scheme is followed, the choice of elliptic curve parameters does not affect the security of
the system. Neither does the choice of DSA parameters, although the choice of such a value of P could possibly lead
to small degradations in performance when compared to sparse values of P used in some reported DSA signature
implementations.

[0055] The discussion in [1] should convince the reader that the resulting RSA public cryptographic keys provide no
loss in security compared to more general RSA moduli.

Generating an RSA Cryptographic key With a Pre-determined Portion 

[0056] In the following description, d ∈ Z_{>1} denotes a fixed radix. A "digit" refers to a digit in the radix d representation.
For a positive integer r its length |r| refers to the length of r's radix d representation with non-zero leading digit.

[0057] The length of the RSA modulus R to be constructed is denoted by m, the length of the pre-determined portion
Y of R is denoted by K with K < m, and L = m - K. As before, the concatenation of two arrays of digits a_1 and a_0 is
denoted a_1||a_0. Below, methods are presented to construct RSA moduli with radix d representation s||r and r||s. [1] further
presents other RSA moduli, including s_1||r||s_0.

By Fixing the leading digits of R

[0058] With reference to Figure 4, in step 30, let Y be a number of length K; in this case Y is the pre-defined portion
comprising one or more cryptographic keys. Then, the number R' = Y * d^L of length m is computed in step 31. Next,
in step 32, a random prime p of length at most L is picked and R' is rounded up to the nearest multiple of p in step 33.
q' is an integer selected in step 34 such that R' = p * q'. In step 35, the smallest non-negative integer t is found such
that q = q' + t is prime. If the resulting R = p * q is found to be of the form Y||r in step 36, then R, p and q are returned
in step 37 and the process ends in step 38; otherwise, the process returns to step 31 with the same Y.
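
The leading-digits construction of paragraph [0058], written out as an added Python example that is not part of the patent text. It assumes radix d = 2 (so digits are bits) and a prime p of m/2 bits; the names embed_leading, extract_leading and SAMPLE_Y are hypothetical, and SAMPLE_Y is a constructed stand-in for the packed string Y.

```python
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin test; a composite passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)           # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # a is a witness: n is composite
    return True


def random_prime(bits):
    """Random prime of exactly `bits` bits (top and low bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def embed_leading(Y, m, p_bits=None, max_tries=64):
    """Steps 30-38 of [0058] with radix d = 2: return (R, p, q) where R = p*q
    is an m-bit modulus whose K = Y.bit_length() leading bits are exactly Y."""
    K = Y.bit_length()
    L = m - K
    p_bits = m // 2 if p_bits is None else p_bits  # assumption: balanced p and q
    if Y <= 0 or L <= 0 or not 2 <= p_bits <= L:
        raise ValueError("need 0 < K < m and a prime length of at most L bits")
    for _ in range(max_tries):
        r_prime = Y << L                           # step 31: R' = Y * d^L
        p = random_prime(p_bits)                   # step 32
        q_prime = -(-r_prime // p)                 # steps 33-34: ceil(R'/p)
        t = 0
        while not is_probable_prime(q_prime + t):  # step 35: smallest t >= 0
            t += 1
        q = q_prime + t
        R = p * q
        if R >> L == Y and p != q:                 # step 36: is R of the form Y||r?
            return R, p, q
        # The rounding plus p*t spilled into the Y digits: retry with the same Y.
    raise RuntimeError("no modulus found; use a shorter p or a shorter Y")


def extract_leading(R, m, K):
    """Recover the K-bit embedded portion from a published m-bit modulus."""
    if R.bit_length() != m:
        raise ValueError("modulus does not have the expected length")
    return R >> (m - K)


# Constructed sample input: a 127-bit stand-in for the packed ECC/DSA string Y.
SAMPLE_Y = int.from_bytes(b"constructed-Y-16", "big")

if __name__ == "__main__":
    R, p, q = embed_leading(SAMPLE_Y, 512)
    print(f"R = {R:#x}")
    print("leading bits match Y:",
          extract_leading(R, 512, SAMPLE_Y.bit_length()) == SAMPLE_Y)
```

Keeping p well short of L bits matters: the rounding in step 33 and the p * t added in step 35 must both stay below d^L, otherwise the check in step 36 fails and the loop starts again with the same Y.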

Alternatively By Fixing the trailing digits of n

[0059] Let Y be an array of K digits that corresponds to an odd number (where Y may have leading digits zero). First,
a random prime p of length at most L and a random number x of length L-|p| are picked. Next, let q' = x * d^K + ((Y/p)
[...] process is started again with the same s [...]

[...] pre-determined portion into another [...] an advantageous result: the concept
of a composite cryptographic key. While two examples of embedding pre-determined strings in an RSA modulus are
described above, there are many other ways of [...]. Furthermore,
it is known to embed [...] of cryptographic key, for example DSA cryptographic
keys [5]. It is clearly therefore [...]
on the basis of the present disclosure [...] cryptographic key.

[...] algorithm for embedding a pre-determined portion [...]
Signing Data Using Multiple cryptographic keys 

[...] a document m, by taking [...]

[...] 10, DSA 11 and RSA 12. [...]
[...] respective private cryptographic keys to sign the
document, producing three signatures s1, s2 and s3 [...]. Finally, the signed data m, s1, s2 and s3 are, for
example, passed to a recipient or published [...]

[...] cryptographic key, as described above, and the composite cryptographic key is published.

[...] and extracts the public
[...]

[0065] Clearly, any appropriate combination and number of different cryptographic keys may be used to sign data.

Encrypting Data Using Multiple cryptographic keys 

[...] taking advantage [...]

[...] key and encrypts the document using each [...]
[...] document n using: an ECC encryption engine 15 to produce [...]
an encrypted document n'; a DSA encryption engine 16 to
produce an encrypted document n" and an RSA [...]
[...] encrypted document n" is said to be triple-locked. Finally, [...]
transmits the document, for example via e-mail, to
the recipient.

[...] in Figure 3b.
[...] double-locked
document m"; a DSA decryption engine [...] to produce a single-locked document n'; and an ECC decryption engine to
return the original document n.

[...] of the three cryptographic [...]

[0070] Obviously, any appropriate combination and number of different cryptographic keys may be used to encrypt
Claims

1. A method of generating a composite cryptographic key comprising plural cryptographic key portions in such a way
that the cryptographic key portions can be recovered from the composite cryptographic key wherein the bit length 
of the composite cryptographic key is less than the sum of the bit lengths of the plural cryptographic key portions. 

2. A method of generating a composite cryptographic key composed of a primary cryptographic key and one or more
secondary cryptographic key portions, by specifying the or each secondary cryptographic key portion and
generating a primary cryptographic key such that embedded therein there is a predetermined portion comprising the or
each secondary cryptographic key portion.

3. A method according to claim 2, wherein the primary cryptographic key comprises an RSA cryptographic key having 
embedded therein a predetermined portion comprising the or each secondary cryptographic key portion. 

4. A method according to claim 2 or claim 3, wherein a secondary cryptographic key portion comprises an elliptic
curve cryptographic key.

5. A method according to claim 4, wherein the elliptic curve cryptographic key is compressed for the purpose of being
embedded in the primary cryptographic key.

6. A method according to claim 5, wherein the elliptic curve cryptographic key is compressed by reducing the bit
length of the generating point representation.

7. A method according to claim 6, wherein, for a given elliptic curve E over a given finite field F_q, the elliptic curve
generating point P is generated by a process comprising the steps:

(a) compute x, a random string of bit length less than or equal to seven;

(b) determine whether a corresponding y exists, where y ∈ F_q such that ({x}, y) ∈ E(F_q)

(c) if y does not exist, return to (a), otherwise continue with (d)

(d) compute the generating point P = [N_q/l] ({x}, y)

(e) determine whether P = O

(f) if P = O, return to (a), otherwise continue with (g)

(g) use (x, y) to represent the generating point P.

8. A method according to any one of claims 2 to 7, wherein a secondary cryptographic key portion comprises a DSA 
cryptographic key portion. 

9. A method according to claim 8, wherein the DSA cryptographic key portion is compressed for the purposes of 
being embedded in the primary cryptographic key. 

10. A method according to claim 9, wherein the DSA cryptographic key portion generator h is generated by a process
comprising the steps:

(a) compute a random number g of bit length less than or equal to eight;

(b) compute h = g^((P-1)/l) (mod P);

(c) if h = 1, return to (a), otherwise h represents the generating point.

11. A method according to any one of claims 2 to 10, wherein there are both elliptic curve and DSA secondary
cryptographic key portions, and wherein the cryptographic key portions share a common private cryptographic key.

12. A method of digitally signing data, comprising the steps of:



using at least one private cryptographic key to sign the data; 

providing a composite cryptographic key generated as claimed in any one of the preceding claims, the
composite cryptographic key comprising plural different public cryptographic key portions that correspond to the
private cryptographic key or keys; and

making the composite cryptographic key available for use by third parties. 



13. A method of verifying the origin of data signed according to the method of claim 12, comprising extracting the 
different public cryptographic key portions from the composite cryptographic key and using at least one of the 
different public cryptographic key portions to verify the origin of the signed data. 



14. A method of encrypting data, comprising extracting plural different public cryptographic key portions from a
composite cryptographic key, the composite cryptographic key having been generated in accordance with any one of
claims 1 to 11, encrypting the data and then re-encrypting the data using at least two different ones of the
cryptographic key portions.

15. A method of publishing plural public cryptographic keys by generating a composite cryptographic key according
to any one of claims 1 to 11 and then publishing the composite cryptographic key.